On Nov 12, 2025, at 3:19 PM, Theo de Raadt <[email protected]> wrote:

> Here's a draft of new text which is much shorter:

Looks good. (BIOCLOCK is presumably a no-op on an already-locked BPF descriptor.)

> The first paragraph describes the mechanism, so the word "lock" in the
> second paragraph doesn't feel unnatural.

Presumably that's "lock" as in "lock down", i.e. "prevent anything unsafe from being done".

> Additionally you asked:
>
>> I.e., you're not objecting to the text of that sentence, you're
>> objecting to the reality that the sentence describes, i.e. "root gets
>> a free pass".
>
> No, I'm also objecting to root being able to bypass this mechanism,

That's what I meant by "root gets a free pass"; I was saying your objection was to root being allowed to do what it wants on a locked-down BPF descriptor, more than to the way the page stated that freedom.

> so here's the kernel diff which makes root not special. The man page diff
> above removed mention of the special case for root. I've reached out to
> a few of our privsep-bpf tool developers to search for a reason for root
> to be special, and so far we've found no reason in our tree.

Offhand I can't think of a use case for root being allowed to bypass the lockdown.
